Developing a Mobile Strategy

 

When considering a mobile strategy for your organization, your team needs to be concerned about security to ensure that your business-critical data is not exposed or stolen by employees or hackers. You need to think about security at two levels: the hardware level (the mobile device itself), and the application level (the software that runs on the device).

Security at the Hardware Level

At the hardware level, most mobile device manufacturers provide multiple levels of built-in security. For example, fingerprint and facial recognition are becoming more common, and they help to ensure that access to the device is limited to the unique user. Additionally, most devices automatically encrypt data stored on them with 256-bit AES encryption when they are. A recent article claimed that a brute force attack utilizing over fifty supercomputers that could check a billion billion (10^18) AES keys per second would require about 3 × 10^51 years to exhaust the 256-bit keyspace and expose the data. Considering this, it would be a herculean effort for an attacker to expose data on a locked and encrypted device.

Security of Mobile Applications

Mobile applications can be vulnerable, but reputable business application vendors are aware of the threats and incorporate additional levels of security to prevent data breaches on mobile devices. For example, access to critical applications is typically secured using minimum password requirements and other methods such as two-factor (2FA) or multi-factor authentication (MFA). Data transmitted to and from servers is encrypted in transit using Transport Layer Security (i.e. HTTPS) with 256-bit AES. Some vendors also provide their own layer of encryption for application data so that, even if the hardware-level encryption were breached, application data would remain protected. For the most part, mobile data security is pretty solid, and there have been no recent reports of data breaches from smartphone users using a business-based application.

Mobile Security Education for Users

At a recent roundtable discussion, a federal cybersecurity agent explained that the biggest threat leading to a data breach or to access to confidential information on a mobile device is the user. You can lock down your data with the best security in the world and use mobile device management (MDM) tools to prevent users from installing unauthorized apps, but you can’t prevent human error. Users who are not educated on security can inadvertently expose data by not using passwords or 2FA/MFA security, by writing their password down in an unprotected space, or by unlocking their device and letting someone else use it. They can even expose information by using non-business-related apps.

Can apps access other apps’ data?

Apps may not be able to directly access other apps’ data, but they can expose information about the user’s behavior that could be used for other clandestine purposes. This is best illustrated by the recent report in late January from the US military regarding the use of a health app or health tracking bracelets. Military personnel who were using these apps and devices to track their running progress were exposing GPS data that mapped their running routes. Although this data seemed harmless, it was later made publicly available on the web and revealed several hidden military locations and movement patterns of personnel. Fortunately, this was addressed quickly: staff were educated on the risks of non-secure mobile applications and devices, and new policies were put in place to reduce future threats.

Keep your Company Safe

Security is an important issue to consider when moving to mobile data collection. You need to work with your vendor to understand their security architecture, threat detection, data breach, and security enforcement. Most importantly, you need to formalize processes and training for your users so that they fully understand the threats, risks and best practices and don’t inadvertently put your company or staff at risk.
